b'                      SPECTO\n                 IN            R\n             F                     G\n         O                             E\n     E\n\n\n\n\n                                       N\n     C\n\n\n\n\n                                           E\nFI\n\n\n\n\n                                           RA\nOF\n\n\n\n\n                                               L\n                                                   OFFICE OF INSPECTOR GENERAL\n                                                       EXPORT-IMPORT BANK\n                                                        of the UNITED STATES\n\n\n\n\n                 Fiscal Year 2013 Information\n                     Security Program and\n                        Practices Audit\n\n\n\n\n                                                                      March 26, 2014\n                                                                       OIG-AR-14-03\n\x0cTo:         Fernanda Young, Chief Information Officer\n\nFrom:       Arturo Cornejo AC\n            Acting Assistant Inspector General for Audits\n\nSubject:    Fiscal Year 2013 Information Security Program and Practices Audit\n            OIG-AR-14-03\n\nDate:       March 26, 2014\n\n\nThis memorandum transmits Cotton & Company LLP\xe2\x80\x99s audit report of Export-\nImport Bank\xe2\x80\x99s (Ex-Im Bank) Information Security Program for Fiscal Year 2013.\nUnder a contract monitored by this office, we engaged the independent public\naccounting firm of Cotton & Company to perform the audit. The objective of the\naudit was to determine whether the Ex-Im Bank developed adequate and effective\ninformation security policies, procedures, and practices in compliance with the\nFederal Information Security Management Act of 2002 (FISMA).\n\nCotton & Company determined that overall Ex-Im Bank continues to improve and\nstrengthen its information security program and is addressing the challenges in\neach of the areas that the Office of Management and Budget identified for the fiscal\nyear 2013 FISMA review. However, Ex-Im Bank is not compliant with all FISMA\nrequirements. The report contains six recommendations for corrective action.\nManagement concurred with the recommendations and we consider management\xe2\x80\x99s\nproposed actions to be responsive. The recommendations will be closed upon\ncompletion and verification of the proposed actions.\n\nWe appreciate the cooperation and courtesies provided to Cotton & Company and\nthis office during the audit. If you have questions, please contact Julie Wong\n(202) 565-3920 Julie.Wong@exim.gov, or me at (202) 565-3499\nArturo.Cornejo@exim.gov. You can obtain additional information about the Export-\nImport Bank Office of Inspector General and the Inspector General Act of 1978 at\nwww.exim.gov/oig.\n\n\n\ncc:     Fred P. Hochberg, Chairman and President\n        C.J. Hall, Executive Vice President and Chief Risk Officer\n        Michael Cushing, Senior Vice President and Chief Operating Officer\n        Audit Committee\n\n\n\n                   811 Vermont Avenue, NW Washington, D.C. 20571\n\x0cJohn Lowry, Director, Information Technology Security and Systems\n  Assurance\nInci Tonguch-Murray, Business Compliance Officer\nCristopolis Dieguez, Business Compliance Analyst\nGeorge Bills, Partner, Cotton & Company LLP\n\n\n\n\n          811 Vermont Avenue, N.W. Washington, D.C. 20571\n\x0cOffice of Inspector General\nExport-Import Bank of the United States\n811 Vermont Avenue, NW\nWashington, DC 20571\n202-565-3908\nwww.exim.gov/oig\n\x0c'